I would like to allow / deny access to the net to clients
based on:
1. client IPs.
or
2. client IP + MAC
Rather than denying based on IP, especially in a DHCP environment where IPs could change, I would deny based on source MAC address. You would write a rule like this:
iptables -t filter -A FORWARD -o eth0 -m mac --mac-source 01:23:45:67:89:ab -j ACCEPT
This rule will allow the system with the MAC address of 01:23:45:67:89:ab to access the internet. I would probably recommend that you add some filters to check that the destination IP and possibly port are valid. To do this you might want to jump to another chain to do the checking for you or have all traffic pass through that chain beforehand.
iptables -t filter -A FORWARD -o eth0 -m mac --mac-source 01:23:45:67:89:ab -j DstIPandPortCheck
This would be such a rule to jump to the DstIPandPortCheck chain to do any additional validation.
Grant. . . .
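As an added example (not part of Grant's reply), here is a small shell script that builds the ruleset the answer sketches: one client is allowlisted in FORWARD by source MAC, optionally also pinned to its IP (the question's option 2), and its traffic is sent through a DstIPandPortCheck chain that only permits chosen TCP destination ports. eth0 and the chain name come from the answer; the MAC, IP and ports are constructed sample values, and DRY_RUN=1 (the default here) prints the commands instead of applying them.

```shell
#!/bin/sh
# Added example, not from the original thread. Emits (DRY_RUN=1) or applies
# (DRY_RUN=0) an iptables ruleset that allowlists one client by MAC in FORWARD
# and routes it through a DstIPandPortCheck chain restricting destination ports.
# Caveat: -m mac only sees the MAC of the last hop, so it works for hosts on the
# firewall's own LAN segment and says nothing about hosts behind another router.

IPT=${IPT:-iptables}
WAN=${WAN:-eth0}          # outbound interface, as in the answer's rules

# run: print the command in dry-run mode, otherwise execute it
run() {
  if [ "${DRY_RUN:-1}" = 1 ]; then echo "$IPT $*"; else "$IPT" "$@"; fi
}

# build_rules MAC IP "port port ..."
#   MAC   source MAC to allowlist
#   IP    source IP to pair with it ("-" to match on MAC alone)
#   ports TCP destination ports the client may reach
build_rules() {
  mac=$1; ip=$2; ports=$3
  run -t filter -N DstIPandPortCheck
  # replies to already-accepted connections pass without re-checking ports
  run -t filter -A DstIPandPortCheck -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
  for p in $ports; do
    run -t filter -A DstIPandPortCheck -p tcp --dport "$p" -j ACCEPT
  done
  # everything else is logged for visibility, then dropped
  run -t filter -A DstIPandPortCheck -j LOG --log-prefix "FWD-DENIED: "
  run -t filter -A DstIPandPortCheck -j DROP
  # only this MAC (and, if given, this MAC+IP pair) enters the check chain
  if [ "$ip" = "-" ]; then
    run -t filter -A FORWARD -o "$WAN" -m mac --mac-source "$mac" -j DstIPandPortCheck
  else
    run -t filter -A FORWARD -o "$WAN" -s "$ip" -m mac --mac-source "$mac" -j DstIPandPortCheck
  fi
  # unlisted clients fall through to the chain policy and are dropped
  run -t filter -P FORWARD DROP
}

# sample usage with constructed values: MAC from the answer, private IP, web ports
build_rules 01:23:45:67:89:ab 192.168.1.20 "80 443"
```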